The US Department of Defense updated their main website (OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) ( to include an updated CMMC Model consistent with the information released on Nov. 4 about CMMC 2.0. They also released scoping guidance for CMMC 2.0 Levels 1 and 2, and a hashing approach for preserving evidence.

Among other changes, Level 2 of CMMC 2.0 drops the 20 “bespoke” CMMC controls that had been in Level 3 of CMMC 1.0, meaning it is limited to the 110 controls defined in NIST SP 800-171. The CMMC domains are also reorganized, with 3 of the domains (Asset Management, Recovery, and Risk Management) dropped. CMMC 2.0 also adopts a new numbering scheme for each practice (DD.L#-REQ, where DD is the domain abbreviation, L# is the level number (e.g., L2), and REQ is the NIST SP 800-171 or 800-172 security requirement number).

Do you need help complying with the CMMC 2.0 requirements? Our free tool can help! Download your copy below.

If you want to implement a more robust tool, consider FutureFeed. FutureFeed is a CMMC Information Institute sponsor.